Abstract. A central paradigm behind process semantics based on observability
and testing is that the exact moment of occurring of an internal
nondeterministic choice is unobservable. It is natural, therefore,
for this property to hold when the internal choice is quantified with 
probabilities. However, ever since probabilities have been introduced in 
process semantics, it has been a challenge to preserve the unobservability 
of the random choice, while not violating the other laws of process theory 
and probability theory. This paper addresses this problem. It proposes 
two semantics for processes where the internal nondeterminism has been 
quantified with probabilities. The first one is based on the notion of test- 
ing, i.e. interaction between the process and its environment. The second 
one, the probabilistic ready trace semantics, is based on the notion of ob- 
servability. Both are shown to coincide. They are also preserved under 
the standard operators. 



1 Introduction 

A central paradigm behind process semantics based on observability (e.g. [11]) 
is that the exact moment of occurring of an internal nondeterministic choice is 
unobservable. This is because an observer does not have insight into the internal 
structure of a process but only in the externally visible actions. Unobservability 
of internal choice has been also accomplished by the testing theory [6]. It is
natural, therefore, for this property to hold when the internal choice is quanti- 
fied with probabilities. However, it turned out that unobservability of internal 
probabilistic choice is not trivial to achieve in probabilistic testing theory. To 
explain why, we start with an example. 

Motivation Consider a machine which flips a fair coin internally. A user can guess 
the result of the flipping by pressing a "head" or a "tail" button. If the user has 
guessed correctly, the machine offers a prize. The machine can be modeled by 
process graph (or shortly process) s in Fig. 1 and the user can be modeled by
process u in Fig. 1. The user is happy if, after pressing a button, a prize follows.

1 In fact, the process semantics based on [11] and [6] do coincide for a broad class of 
processes, as shown in [19]. 
Fig. 1: Processes s and s̄ are distinguished in probabilistic may/must testing theory

Let the user and the machine interact, i.e. let them synchronize on all actions 
(except on the "user happiness" reporting action ☺). In terms of testing theory
[6], process s is tested with test u. Intuitively, the probability that the user
has guessed the output of flipping is 1/2. That is, the probability of a ☺ action
being reported is 1/2. However, most of the existing approaches for probabilistic
testing, in particular probabilistic may/must testing [7,12,20,23,25], do not
give this answer. Consider the synchronization s || u represented by the graph
in Fig. 1, where actions are hidden after they have synchronized. In order to
compute the probability of ☺ being reported, the approaches in [7, 12, 20, 23,
25] use schedulers that have insight into the internal structure of the graph
of the synchronized system. Each scheduler resolves the nondeterminism in the
nondeterministic nodes of s || u and yields a fully probabilistic system. For s || u
in Fig. 1 there are four possible schedulers, which yield the following set of
probabilities with which s passes the test u: {0, 1/2, 1}. We can see that, because
the power of the schedulers is unrestricted, unrealistic upper and lower bounds 
for the probabilities are obtained. Observe that this happens due to the effect of 
"cloning" the nondeterminism after hiding the synchronized actions. The choice 
between h and t has been "cloned" in both futures after the probabilistic choice 
in s || u. When resolving nondeterminism in s || u, a scheduler assumes that the 
user has unrealistic power to see the result of the coin-flipping before guessing. 

The above example challenges us to reconsider the design choice to hide ac- 
tions after synchronization. Namely, although hiding is harmless and actually 
useful in [6] , and helps to abstract away from unnecessary information, in prob- 
abilistic testing it may actually "hide too much" and produce overestimation of 
the probability information about the system. It is highly undesirable to obtain 
lower and upper probability bounds of 0 and 1 resp. for the probabilistic behaviour
of a simple system (as the one in Fig. 1), when the actual probability is
1/2. This may render a testing equivalence insufficient for verification purposes.

Consider now process s̄ in Fig. 1. To the user this graph may as well represent
the behaviour of the coin-flipping machine - the user cannot see whether the
machine flips the coin before or after making the "head or tail" guess. According
to her, the machine acts as specified as long as she is able to guess the result
in half of the cases. In fact, both schedulers applied to s̄ || u yield that the
probability of reporting a ☺ action is exactly 1/2. Because of this, none of the
approaches in [7,12,20,23,25] equate processes s and s̄, as, when tested with u,
they produce different bounds for the probabilities of reporting ☺. Note that
being able to equate s and s̄ means allowing distribution of external choice over
internal probabilistic choice [11].

Not allowing distribution of external choice over internal probabilistic choice 
has an additional effect, undesirable for compositional verification. Namely, if 
distribution of external choice over internal probabilistic choice is not allowed, 
then distribution of prefix over internal probabilistic choice is questioned too, as 
this implies congruence issues for asynchronous or concurrent parallel composition
[11] (where processes synchronize on their common actions while interleaving
on the other actions). For instance, we would not be able to equate processes
$e.a.(b \oplus_{\frac{1}{2}} c)$ and $e.((a.b) \oplus_{\frac{1}{2}} (a.c))$. (The operator "." stands for prefixing and the
operator "$\oplus$" stands for a probabilistic choice.) This is because these two processes,
running each concurrently with process e.d, yield systems that cannot be
equated, unless we allow distribution of external choice over internal probabilistic
choice. If we are not able to relate processes $e.a.(b \oplus_{\frac{1}{2}} c)$ and $e.((a.b) \oplus_{\frac{1}{2}} (a.c))$,
i.e. to allow distribution of prefix over internal probabilistic choice, then for ver- 
ification we can only rely on equivalences that inspect the internal structure of 
processes, as bisimulations and simulations [10], and, moreover, expect overesti- 
mation of probabilities. 

All together, the above discussions trigger the following question: "In a model 
where the internal nondeterminism has been quantified with probabilities [14], 
is it possible to test process s with test u (Fig. 1) such that the result of testing
would imply that the probability of s passing the test u is exactly 1/2?". In this case
not only we could preserve the information on probability, but we could also allow 
distribution of prefix over probabilistic choice without losing compositionality. 

Contributions In this paper we show that the answer to the above question is 
positive. The main contributions of the paper are the following: 

— We introduce a technique for labeling the synchronized actions when a reactive
probabilistic process is tested (Section 3). The labels are in form of
rational functions, whose argument names are constructed from the action
labels set. The labeling is achieved automatically when processes synchronize,
i.e. no additional manipulation on the process graphs is needed.

— We propose a testing semantics (Section 3) exploiting the new labeling
method, such that the result of testing process s with test u in Fig. 1 is
1/2, and processes s and s̄ in Fig. 1 are testing-equivalent.

— We define a probabilistic ready trace equivalence for reactive probabilistic
processes using the Bayesian definition of probability (Section 4). The definition
allows a testing scenario in the lines of [4, 10] to be easily constructed.

— We define an algebra of finite processes and show that the ready trace equivalence
is a congruence for the standard operators (Section 5).

— We show that all operators of our algebra, including external choice, distribute
over probabilistic choice, allowing us to consider the latter one as
unobservable (Section 5).

— We show that the testing equivalence of Sec. 3 and the ready-trace equivalence
of Sec. 4 coincide (Section 6).

2 If we ignore the probabilities, processes s and s̄ are testing-equivalent by [6].

Section 7 ends with concluding remarks, future work directions regarding
coexistence of probabilistic and internal choice, and related work. 

2 Preliminaries 

We define some preliminary notions needed for the rest of the paper. 

Bayesian probability For a set $A$, $2^A$ denotes its power-set. The following definitions
are taken from [15].

We consider a sample space, $\Omega$, consisting of points called elementary events.
Selection of a particular $a \in \Omega$ is referred to as "$a$ has occurred". An event is a
set of elementary events. $A, B, C, \ldots$ range over events. An event $A$ has occurred
iff for some $a \in A$, $a$ has occurred. Let $A_1, A_2, \ldots$ be a sequence of events and
$C$ be an event. The members of the sequence are exclusive given $C$, if whenever
$C$ has occurred no two of them can occur together, that is, if $A_i \cap A_j \cap C = \emptyset$
whenever $i \neq j$. $C$ is called a conditioning event. If the conditioning event is $\Omega$,
then "given $\Omega$" is omitted.

For certain pairs of events $A$ and $B$, a real number $P(A|B)$ is defined and
called the probability of $A$ given $B$. These numbers satisfy the following axioms:

A1: $0 \le P(A|B) \le 1$ and $P(A|A) = 1$.

A2: If the events in {Aj}?^ are exclusive given B, then P(U^. 1 j4j | B) = 
A3: $P(C | A \cap B) \cdot P(A|B) = P(A \cap C | B)$.
For $P(A|\Omega)$ we simply write $P(A)$.

Probabilistic transition systems In a probabilistic transition system (PTS) there 
are two types of transitions, viz. action and probabilistic transitions; a state can 
either perform action transitions only (nondeterministic state) or (unobserv- 
able) probabilistic transitions only (probabilistic state). To simplify, we assume 
that probabilistic transitions lead to nondeterministic states. The nondeterministic
states exhibit only a so-called external (observable) nondeterminism, i.e. the
choice is between the actions, but once the action is chosen, the next state is 
determined. The outgoing transitions of a probabilistic state s define probability 
over the power-set of the set of nondeterministic states. 

We give a formal definition of a PTS. Presuppose a finite set of actions A. 

Definition 1 (Probabilistic Transition System (PTS)). A PTS is a tuple
$V = (S_n, S_p, \to, \dashrightarrow)$, where

— $S_n$ and $S_p$ are finite disjoint sets of nondeterministic and probabilistic
states, resp.,

— $\to \subseteq S_n \times A \times S_n \cup S_p$ is an action transition relation such that $(s, a, t) \in \to$
and $(s, a, t') \in \to$ implies $t = t'$, and

— $\dashrightarrow \subseteq S_p \times (0, 1] \times S_n$ is a probabilistic transition relation such that, for all
$s \in S_p$, $\sum_{(s, \pi, t) \in \dashrightarrow} \pi = 1$.

We denote $S_n \cup S_p$ by $S$. We write $s \xrightarrow{a} t$ rather than $(s, a, t) \in \to$, and $s \overset{\pi}{\dashrightarrow} t$
rather than $(s, \pi, t) \in \dashrightarrow$ (or $s \dashrightarrow t$ if the value of $\pi$ is irrelevant in the context).
We write $s \xrightarrow{a}$ to denote that there exists an action transition $s \xrightarrow{a} s'$ for some
$s' \in S$. We agree that a state without outgoing transitions belongs to $S_n$.

As standard, we define a process graph (or simply process) to be a state $s \in S$
together with all states reachable from s, and the transitions between them. A 
process graph is usually named by its root state, in this case s. 



3 Testing equivalence 

In this section we define a testing equivalence in the style of [6] for reactive 
probabilistic processes. 

Recall from elementary mathematics that a division of two polynomials is 
called a rational function. For example, — §- is a rational function with arguments 

x-\-y 

x and y. A possible domain for this function is $(0, \infty) \times (0, \infty)$. We are going
to exploit a subset $\mathcal{R}$ of the rational functions whose argument names belong to
the action labels $A$, which is generated by the following grammar:

$$\varphi ::= \alpha \mid a \mid \varphi + \varphi \mid \varphi \cdot \varphi \mid \frac{\varphi}{\varphi},$$

where $\alpha$ is a non-negative scalar, $a \in A$, and $+$, $\cdot$, and $\frac{\ }{\ }$ are ordinary algebraic
addition, multiplication and fraction, resp. Brackets are used in the standard
way to change the priority of the operators. For our purposes, we assume that
the arguments $a, b, \ldots$ can only take positive values, i.e. the domain of every
function in $\mathcal{R}$ is $(0, \infty)^n$, where $n$ is the size of the action set. Therefore, two
rational functions in $\mathcal{R}$ are equal iff they can be transformed to equal terms
using the standard transformations that preserve equivalence (e.g. for $a, b \in A$,
$\frac{1}{2} \cdot \frac{a}{a+b} + \frac{1}{2} \cdot \frac{b}{a+b} = \frac{1 \cdot (a+b)}{2 \cdot (a+b)} = \frac{1}{2}$).

As standard, a test $T$ is a finite process such that, for a symbol $\omega \notin A$, there
may exist transitions $s \xrightarrow{\omega}$ for some states $s$ of $T$. Denote the set of all tests by
$\mathcal{T}$. Given a process $s$ and action $a \in A$, denote by $s_a$ the process (if exists) for
which $s \xrightarrow{a} s_a$. Given a PTS $V = (S_n, S_p, \to, \dashrightarrow)$, let $I: S_n \mapsto 2^A$ be a function
such that, for all $a \in A$, $s \in S_n$, it holds $a \in I(s)$ iff $s \xrightarrow{a}$. $I(s)$ is called the
menu of $s$. Intuitively, for $s \in S_n$, $I(s)$ is the set of actions that the process $s$
can perform initially. Next, we define the result of testing a process with a given
test. The informal explanation follows afterwards.



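Definition 2. The function $Res: S \times \mathcal{T} \mapsto \mathcal{R}$ that gives the result of testing a
process $s$ with a test $T$ is defined as follows:

$$Res(s,T) = \begin{cases}
1, & \text{if } T \xrightarrow{\omega}, \\
\sum_{i \in I} \pi_i \cdot Res(s_i, T), & \text{if } s \overset{\pi_i}{\dashrightarrow} s_i \text{ for } i \in I \text{ and } T \not\xrightarrow{\omega}, \\
\sum_{i \in I} \pi_i \cdot Res(s, T_i), & \text{if } T \overset{\pi_i}{\dashrightarrow} T_i \text{ for } i \in I \text{ and } s \not\dashrightarrow, \\
\sum_{a \in K} \frac{a}{\sum_{b \in K} b} \cdot Res(s_a, T_a), & \text{for } K = I(s) \cap I(T), \text{ otherwise.}
\end{cases}$$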



As usual, the result of testing a process with a test denoting success is
one, while the result of testing a process with a probabilistic state as a
root (i.e. initially probabilistic process) is a weighted sum of the results
of testing the subsequent processes with the same test. Similarly when the
test is initially probabilistic. The novelty is in the result of testing an
initially nondeterministic process $s$ with a test $T$ that can initially perform
actions from $A$ only. Namely, when the process and the test synchronize
on an action, the resulting transition is labeled with a "weighting factor",
containing information about the way this synchronization happened.
This information has form of a rational function, the
numerator of which represents the synchronized action
itself, while the denominator is the sum of the
common initial actions of $s$ and $T$, i.e., all actions on
which $s$ and $T$ could have synchronized at the current
step. Then, the rational function is temporarily
treated as "symbolic" probability, in order to compute
the final result of the testing. The final result
is again a rational function in $\mathcal{R}$.

Fig. 2: Graphical representation of the result of testing s with u

Fig. 2 represents graphically the result of testing
process s in Fig. 1 with the test u from the same
figure. It is easy to compute that the result of testing
is equal to 1/2, which establishes one of our goals set in Section 1. However, in
many cases the result is a non-scalar rational function. For example, denote by
"+" the external choice operator. The result of applying test $h.p.\omega + t.\omega$ to each
of processes s and s̄ in Fig. 1 is 2(h+t) •

Definition 3. Two processes s and s̄ are testing equivalent, notation $s \approx_{\mathcal{T}} \bar{s}$,
iff Res(s, T) and Res(s̄, T) are equal functions for every test T.

Obviously, comparing two results boils down to comparing two polynomials, 
after both rational functions have been transformed to equal denominators. 
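
Definition 2 carried out on the coin-flipping machine, as an added example that is not part of the paper. The graphs for s, s̄ and u are constructed here from the Motivation paragraph (Fig. 1 is not reproduced on this page), with the success action named `omega`. Instead of manipulating rational functions symbolically, the block evaluates Res at concrete positive values of the action variables, so `agree` is a spot check of equality, not a proof.

```python
from fractions import Fraction
from itertools import product

OMEGA = "omega"  # success action of a test; assumed name, not in the action set A


def act(**moves):
    """Nondeterministic state: maps each offered action to its unique successor."""
    return ("act", moves)


def prob(*branches):
    """Probabilistic state: (probability, successor) pairs that sum to 1."""
    assert sum(p for p, _ in branches) == 1
    return ("prob", branches)


NIL = act()  # state without outgoing transitions (belongs to S_n)


def res(s, t, val):
    """Res(s, T) of Definition 2, evaluated at val: action name -> positive Fraction."""
    (s_kind, s_out), (t_kind, t_out) = s, t
    if t_kind == "act" and OMEGA in t_out:      # the test reports success
        return Fraction(1)
    if s_kind == "prob":                         # process is initially probabilistic
        return sum((p * res(si, t, val) for p, si in s_out), Fraction(0))
    if t_kind == "prob":                         # test is initially probabilistic
        return sum((p * res(s, ti, val) for p, ti in t_out), Fraction(0))
    common = set(s_out) & set(t_out)             # K = I(s) ∩ I(T)
    total = sum((val[b] for b in common), Fraction(0))
    # weighting factor a / (sum of b in K); an empty K gives the empty sum 0
    return sum((val[a] / total * res(s_out[a], t_out[a], val) for a in common),
               Fraction(0))


HALF = Fraction(1, 2)
PRIZE = act(p=NIL)

# s: the coin is flipped first, then the menu {h, t} is offered (constructed).
S = prob((HALF, act(h=PRIZE, t=NIL)), (HALF, act(h=NIL, t=PRIZE)))

# s-bar: the menu {h, t} is offered first, the coin is flipped after the guess.
S_BAR = act(h=prob((HALF, PRIZE), (HALF, NIL)),
            t=prob((HALF, PRIZE), (HALF, NIL)))

WIN = act(p=act(omega=NIL))
U = act(h=WIN, t=WIN)                  # user u: guess, then succeed if a prize follows
T2 = act(h=WIN, t=act(omega=NIL))      # the test h.p.omega + t.omega from the text


def sample_points(actions, values=(1, 2, 5)):
    """All assignments of the given positive values to the action variables."""
    for combo in product(values, repeat=len(actions)):
        yield dict(zip(actions, map(Fraction, combo)))


def agree(s1, s2, test, actions=("h", "t", "p")):
    """Spot-check that Res(s1, T) and Res(s2, T) coincide on a grid of points."""
    return all(res(s1, test, v) == res(s2, test, v)
               for v in sample_points(actions))


if __name__ == "__main__":
    v = {"h": Fraction(2), "t": Fraction(1), "p": Fraction(1)}
    print("Res(s, u)      =", res(S, U, v))
    print("Res(s-bar, u)  =", res(S_BAR, U, v))
    print("Res(s, T2)     =", res(S, T2, v), "at h=2, t=1")
    print("Res(s-bar, T2) =", res(S_BAR, T2, v), "at h=2, t=1")
    print("agree on u, T2:", agree(S, S_BAR, U), agree(S, S_BAR, T2))
```

Under u the value is the same at every point, while under the second test it changes with h and t, which is the non-scalar case the text mentions.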

Example 1. Consider the processes in Fig. 3. The test $a.\omega + b.c.\omega$ distinguishes
between the two processes.



Fig. 3: Processes s (left) and s̄ (right) are not testing equivalent

Remark 1. Def. 2 assumes that, when the process and the test are ready to
synchronize on an action, the test can see which actions have been offered from
the process. This corresponds to the user (e.g. u in Fig. 1) being able to see
the menu that the machine (e.g. s in Fig. 1) offers. Note that this assumption
does not exist in the standard non-probabilistic testing theory [6]. However,
in real-life systems this is usually the case. Moreover, this assumption is mild
with respect to probabilistic may/must testing approaches, where one needs to
know the complete internal structure of the composed process, which, on the
other side, yields unrealistic over-estimations of probabilities. On the contrary, in our
case, in order to compute the function Res(s,T), it is not necessary that the 
probabilistic transitions of s and their labels are known. Their effect can be 
inferred statistically, by testing s with T sufficiently many times. To simplify 
the presentation, we do not go into details on statistical testing. 

4 Probabilistic ready trace semantics 

In this section we define a probabilistic version of ready trace equivalence [1,21]. 

Definition 4 (Ready trace). A ready trace of length $n$ is a sequence $O =
(M_1, a_1, M_2, a_2, \ldots, M_{n-1}, a_{n-1}, M_n)$ where $M_i \in 2^A$ for all $i \in \{1, 2, \ldots, n\}$
and $a_i \in M_i$ for all $i \in \{1, 2, \ldots, n-1\}$.

We assume that the observer has the ability to observe the actions that the process
performs, together with the menus out of which actions are chosen. Intuitively,
a ready trace $O = (M_1, a_1, M_2, a_2, \ldots, M_{n-1}, a_{n-1}, M_n)$ can be observed if the
initial menu is $M_1$, then action $a_1 \in M_1$ is performed, then the next menu is $M_2$,
then action $a_2 \in M_2$ is performed and so on, until the observing ends at a point
when the menu is $M_n$. It is essential that, since the probabilistic transitions are
not observable, the observer cannot infer where exactly they happen in the ready 
trace. 

Clearly the probability of observing a ready trace $(\{a, b\}, a, \{c\})$ is conditioned
on choosing the action $a$ from the menu $\{a, b\}$. This suggests that, when
defining probabilities on ready traces, the Bayesian definition of probability is 
more appropriate than the measure-theoretic definition that is usually taken. 

Next, given a process $s$, we define a process $s_{(M,a)}$. Intuitively, $s_{(M,a)}$ is the
process that $s$ becomes, assuming that menu $M$ was offered to $s$ and action $a$
was performed.

Fig. 4: Example of a process $s$ (left) and $s_{(\{a,b\},a)}$ (right).

Definition 5. Let $s$ be a process graph. Let $M \subseteq A$, $a \in M$ be such that $I(s) = M$
if $s \in S_n$ or otherwise there exists a transition $s \dashrightarrow s'$ such that $I(s') = M$.
The process graph $s_{(M,a)}$ is obtained from $s$ in the following way:

— if $s \in S_n$ then the root of $s_{(M,a)}$ is the state $s'$ such that $s \xrightarrow{a} s'$, and

— if s £ S v then a new state S(m a ) is created. Let tt = V] »i 7Tj. for 

s--*Si,I(si)=M 

all s'i such that s --% Sj and /(s-i) = M: 

■Kij-n 

• */ s i /""*> i/ien an edge S(m,«) is created; 

Pi KiPi/ft 

• for all transitions s[ --■* s(, an edge S(M,a) s '( is created. 

Example 2. Consider processes $s$ and $s_{(\{a,b\},a)}$ in Fig. 4. Assuming that the initial
menu of $s$ was $\{a, b\}$ and action $a$ was performed, process $s_{(\{a,b\},a)}$ describes
the further behaviour of s: with probability |/(| + §) = \ action c is performed, 
while with probability §/(| + §) = § action d is performed. 



Definition 6. Let $(M_1, a_1, M_2, a_2, \ldots, M_{n-1}, a_{n-1}, M_n)$ be a ready
trace of length $n$ and $s$ be a process graph. Functions $P^1_s(M)$ and
$P^n_s(M_n | M_1, a_1, \ldots M_{n-1}, a_{n-1})$ (for $n > 1$) are defined in the following
way:

P. 1 , (M) */ S G5 p , 

I?(M) = {l if s € S n , I(s) = M, 

otherwise. 

(P} {Mic jM 2 ) ifP}(M 1 )>0, 
I undefined othe 



P^M 2 \M 1 ,a 1 ) 
P?(M n \M u a u ...,a n -i) = 



lerwise. 



P s ( :l ai) ( M n\M2, a 2 ,..., a n _i) P^Mi) > 0, 
undefined otherwise. 



Let the sample space consist of all possible menus and $s \in S$. Function $P^1_s(M)$
can be interpreted as the probability that the menu $M$ is observed initially when
process $s$ starts executing. Let the sample space consist of all ready traces of
length $n$ and let $s \in S$. The function $P^n_s(M_n | M_1, a_1, \ldots M_{n-1}, a_{n-1})$ can be
interpreted as the probability of the event $\{(M_1, a_1, \ldots, M_{n-1}, a_{n-1}, M_n)\}$, given
the event $\{(M_1, a_1, \ldots M_{n-1}, a_{n-1}, X) : X \in 2^A\}$, if observing ready traces of
process $s$. It can be checked that these probabilities are well defined, i.e., they
satisfy the axioms A1-A3 of Section 2.



Definition 7 (Probabilistic ready trace equivalence). Two processes s and 
s are probabilistically ready trace equivalent, notation s Wg s, iff: 

- for all M in 2 A , P}{M) = P±(M) and 

— for all n > 1, P™(M„|Mi, ai, . . . M„_i, a n -i) is defined if and 
only if P™(M„|Mi, ai, . . . M„_i, a n -i) is defined, and in that case 
i?(M n |Mi,ai,...M n _i,a n _i) = P?(M n \M u a u . . . M n _i, a n _i). 

Informally, two processes s and s̄ are ready-trace equivalent iff for every $n$ and every
ready trace $(M_1, a_1, M_2, a_2, \ldots M_n)$, the probability to observe $M_n$, under
condition that previously the sequence $(M_1, a_1, M_2, a_2, \ldots a_{n-1})$ was observed,
is defined at the same time for both s and s̄; moreover, in case both probabilities
are defined, they coincide. Note that it is straightforward to construct a
black-box testing scenario [4, 10] for this ready-trace equivalence.

Example 3. Processes s and s̄ in Fig. 1 are ready-trace equivalent. Processes in
Fig.[3]are not ready-trace equivalent: for process s it holds P^({c}\{a, b}, b) = i, 
while for process s it holds P ( 2 ({c}|{a, b}, b) = 0. 

5 Algebra 

In this section we define an algebra CSP p of finite processes using k, as an 
underlying equivalence. The purpose is to show that «e> is congruence for the 
standard operators on the model of reactive probabilistic processes and that 
all operators distribute through probabilistic choice, as all operators distribute 
through internal choice in standard CSP [11]. As discussed in Sec. 1, we do not
use hiding operator. For more discussions on including internal nondeterminism
in general, please see Sec. 7.

The set of $CSP_p$ processes $P$ is generated by the following grammar:

$$P ::= \delta \mid \sum_{i \in I} a_i.P_i \mid \bigoplus_{i \in I} \pi_i P_i \mid \Theta P \mid P \parallel P \mid P \parallel_L P$$

where $\delta \notin A$ is a new symbol, $\{a_i\}_{i \in I} \subseteq A$, $a_i \neq a_j$ for $i, j \in I$, $i \neq j$, $\pi_i \in (0, 1]$,
$\sum_{i \in I} \pi_i = 1$, and $L \subseteq A$ is the set of actions that appear both in the left and in
the right process of the expression $P \parallel_L P$.

Let $p, q, r, \ldots$ range over $CSP_p$ processes. The constant $\delta$ stands for the empty
process. The process $a.p$ performs the action $a$ and continues as process $p$ (we
write $a$ rather than $a.\delta$). The external choice $\sum_{i \in I} a_i.p_i$ stands for a choice
among the actions $\{a_i\}_{i \in I}$ and proceeds as process $p_j$ if action $a_j$ is chosen and
executed. The probabilistic choice $\bigoplus_{i \in I} \pi_i p_i$ behaves as $p_i$ with probability $\pi_i$
for $i \in I$. The priority operator assumes a partial order $>$ on $A$. For actions
$a$ and $b$, we say $a$ has higher priority than $b$ iff $a > b$. $\Theta$ forces the process
to always perform the action with the highest priority in the current menu. In
a synchronized parallel composition $p \parallel q$, the processes operate in a lock-step
synchronization. In a parallel composition $p \parallel_L q$, the processes synchronize on
their common actions, while the other actions are interleaved.

Table 1: Operational semantics for $CSP_p$ processes

Table 1 represents the operational semantics of $CSP_p$ processes (we omit the
symmetric rules for $\parallel_L$ and $\parallel$).

As usual, a context is a $CSP_p$ process with a hole in it. Given a context $C[\cdot]$
and a process $p$, we write $C[p]$ to denote the process obtained by filling in the
hole of $C[\cdot]$ with $p$.

Theorem 1 (Congruence). The equivalence is congruence for the opera- 
tors of CSPp, i.e., ifp ~o P then for each context C[-\, it holds that C[p] «o C\p]. 

Proof. We prove the congruence result for parallel composition, because this is 
the most complicated case. We prove that if p ~o P then p \\l q «e> p \\l q. 
Denote by L the set of the common actions for p and q (and therefore p 
and q). Without loss of generality, assume that p,p, and q are probabilis- 
tic processes. For arbitrary menus M', M", denote by M' <E> M" the menu 
{M> U M") \{L\ (M' n M")). 

By induction on n, we prove that if p ~o P then 

For arbitrary menus M p and M q , we have P p (M p ) — Pp(M p ). Let M be a 
menu such that P^i ? (M) > 0. This means that there exist menus M p , M q such 



3 To preserve associativity of we require that for any processes p, q, and r, if p and 
q share actions and q and r share actions then p and r do not share actions. 

4 Sequential composition and successful termination can be also defined, which we 
avoid here to shorten. 



that P^(M p ) > 0, P£(M q ) > 0, and M = M p ® M q (by Table HJ. We have, 



pl v\U M )= E A * = E *i'Pi 

\ k TTj Pj 

V \\h 1 — * r k , P —* Pi,Q — ♦ Qj, 

I(r k ) = M I(pt) ® I{ qj ) = M 

- E Pi E *<= E Pi E ^ = p Pu q ( M )- 

Pj T| Pj 7T^ 

9--+9j p—*Pi,M=i(pi)®i{qj) q--*qj p—+Pi,M=i(Pi)®i(qj) 



Suppose P£ ||ig) (M*|Afi, a u . . . M k -i,ak-i)=P^ mLq) {M k \M u ai, . . . M k -i,a k -i) 
if p ~o P and k < n. 



Case 1 Suppose first that both P^^(M n \M\, ai, . . . M„_i, a n _i) 
and )(M„|Mi, ai, . . . M„_i, a„_i) are defined. Because 

of Def. |6] and the inductive assumption, it is enough 
to prove that ^(p|U«) (Mli4l) (M n \M 2 , a 2 , . . . M n _ x ,a n _ x ) 
P(p\\l q ) (M j (Mn\M2, 0-2, ■ ■ ■ Mn-i, « n -i)- Because of the inductive assumption, 
to prove the last, it is enough to prove that (p \\ L q)( Ml , ai ) ~o (p \\l q)(M uai ) ■ 



Case 1.1 a% = a G L. 



Denote ^2 pj ^iPj by a. By Def. [5] and the rules in Table 

p--*Pi,q--+qj,l{pi)®l(qj)=M 1 

[TJ we have 



(phq)(M u a)= ^-(Pic/to,)..) h «jcx(«j )..))• W 



P — ♦ Pi, 8 — » 9j> 

i(pi)®i(qj) = Mi 



On the other hand, denoting J2m 1= m ®m Pp(M p )P q (M q ) by /?, we have 



m P P (M p )P q (M q ) / 

a (P(M p ,a) ||L <?(M,,a) 



Mi=M p iS 

p p (m p )p,(m,u 



e 



p--+Pi,I(pi)=M p q --* qj J( qj )=M q 



M 1= M p ®M q P 7 



X 



P p (M p )P g (M,)( K(A/ -" ) I|l * (m -"») 

P — *•» Pi,I(Pi) - Af p , 
9 — ► = M i 



P ~* Pj, 9 — » 9J. 
Mi = I(pi)®I(qj) 



From ((T|) and ([2]) we have 



/m \ P P (M P )P q (M q ) / \ 

(p IU g) ( M 1>o) = ^ Em m pjMjp„fM„)^ M -°) I|l 9(M - a V- 

Mp,M 9 :A/i=Mpi8)Af g ^M p ,M q 

(3) 

Similarly, 



tell a - m Pp(M p )P q (M q ) ( _ \ 

(P h q) { M u a) = Em m Pp(M p )P g (M 3 )l^ M -°) IU 

M p ,M q --M 1 =M p ®M q ^M p ,M q P\ PJ Q\ QJ 

(4) 

From the inductive assumption and because p «g p and ~q is congruence 
for 0, we have 



P p (M p )P q (M q ) 
Pp(M p )P q (. 

^ Em m P P (M p )P q {M q )\ P{M *- a) l|L 9 <^«>> (5) 

M, =M„«M„ ^M p ,M q V 9\ 9' 



m P p (M p )P q (M q ) / 

^ Em m P p (M p )P,(M,) l P(M - o) " L 9(M - a) 

M p ,M g --M 1 =M p ®M q £—'Mp,M q P\ PI Q\ 1) 



P p (M p )P q (M q ) 

Alp , Af , : Mi = Mp ® Af , t-~mAp,Mq 

From ©, (01), and (J5j) it follows that (p || L q)( Mu a) = ip \\l ?)(m I)0 



Case 1.2 a\ ^ L, a\ appears in p. The proof is similar to Case 1, with 
the difference that instead of a process q/j^ we use a process q/j^ \. The 
last one is defined by a process graph obtained in a similar way as qrj^ 
with the exception that q(M ) is "ready" to choose any action from the menu M q . 

Case 1.3 ax ^ L, a\ appears in q - symmetric to Case 2. 

Case 2 Suppose now that PK, q JMk\Mx, a%, . . . M^-x, ak-i) is de- 
fined but PK,, q JMk\Mx, ax, . . . M/ c _ 1 , etfc_i) is not defined. Either 
P( p || ig )(Mi) > while P^ Lq ^(Mx) = 0, which is not possible be- 
cause p wg p, or P^\l q ) (M a ) (M k \M2,a2,...M k -x,a,k-x) is defined but 
F^T, 1 s (MJM 2 , d2, . . . Mk-x, a/c-i) is not defined, which again is not 

possible because of the inductive assumption. 

The following two theorems formulate the laws of distributivity of the oper- 
ators over probabilistic choice. 

Theorem 2. For processes {xij}i£ij£j and actions {ai}i£i C A, it holds 

Proof. Let M = {ai} ie7 , p = V ( . ; ",.0,, , -,..r,, and p = jeJ TrjJ2iei a i- x v 
Then, it is easy to show that, for every i E I, P(M.ai) ~o P(u,ai)- Let n > 1 and 
(Mi, bx, ■ ■ ■ M n ) be an observation. Then, 



P£(M n \Mx, bx,..., b n _x) 
and 



{ P Hm iM ( M n\M 2 ,b 2 , . . . bn-i) if Mx = M, bx E M 
1 undefined otherwise, 



= [P? m \ M (M n \M 2 ,b 2 , • • • K-x) if Mx = M, bx E M 



undefined otherwise. 
Now, it easily follows that p «e> p. 
Theorem 3. For every context C[-}, it holds C[Q) ieI TViXi] ~o ©ie/ 7r iC[ a 
Proof. By structural induction, similarly to the proof of Theorem [5] 



6 Relationship between and ~e> 

We establish our main result, namely that the testing equivalence ~r coincides 
with the probabilistic ready trace equivalence ~o- As an intermediate result, 
we prove that probabilistic transitions do not add distinguishing power to the 
tests. 

Theorem 4. Let s and t be two processes. If s «o t then s ~r t. 



Proof. Suppose s y&r t. There exists a test T such that Res(s,T) ^ Res(t, T). 
W.l.g., assume that s and t start with probabilistic transitions. By Def. [21 



Res(s,T)= Y Pi E Wi E r-Res(s ia ,T ja ). (6) 

T X Tj s-*-\ Si »e/(«)n/(Ti) 2-i6/(-.)n/(T,) 

By Def. from © we obtain 

Res( S ,T)= £ E P ^ M ) x 

Af':P^(M')>0 M:Pi(M)>0 

x y v ^ Res(s 

)• (7) 

a€MnM> ^beMnM' 

Similarly we obtain 
Res(i,T) = P t( m ') E P * 1 ( M ) x 

M':P^(M')>0 M:Pl(M)>0 



X 



E v rRes(i (M)0 ),T( M >)). (8) 

aeMnM' LbeMnM' 



Now, assume s «o f . Define a length of a test to be the length of the longest 
sequence of actions the test can perform before executing the action v. The proof 
is by induction on the minimal length of a nonprobabilistic test that distinguishes 
between s and t. 

Let T be a test of length 1 such that Res(s,T) ^ Res(f,T). From Def. [Hit 
follows that for every process it, 

Res( U ,T (Mia) ) = pi (M , a) (M). (9) 
From and (JSJ) we have 

Res( S ,T)= Y, P t( M ') E P s( M ) x 

M':Pj,(M')>0 M:P}(M)>Q 

x Y — ~ t^t , (M). 

aeMnM' ^beMnM' u 

(10) 

Similarly we obtain 
Res(i,T) = ^ P^(M') ^ P/(M)x 

M':P^(M')>Q M:P t 1 (M)>0 

>< E F a b P T iM ,Ji»})- 

(11) 



From ([TO ]) . ([IT] ) and from the assumption that P}(M) = P}{M) for every 
menu M, we obtain that Res(s,T) = Res(t,T), i.e. we obtain contradiction. 
Therefore, there exists a menu M such that P}(M) ^ P^(M), i.e. s tfco t. 

Let T be a test of length greater than one such that Res(s,T) ^ Res(i,T) If 
there exists a menu M such that P}(M) 7^ P^(M), then s t and the proof 
is over. Therefore, suppose P}(M) = P^(M) for every menu MCA. From Q 
and ||5J) we have that for some menus M, M' and action a £ M n M', it holds 
Res(s(M,a))^(M',o)) / Res(t( M ,a),7 1 (A/',a))- Now, by the inductive assumption, 
we have S(M,a) 9^e> i(M,a)> i- e - there exists a ready trace (Mg, 02, • • -Mf.) such 
that P*-^ (MfclMa, 03, • . • o*_i) 7^ (Af fc |M 2 , a 2 , . . . a fc _i) (or they are not 

defined at the same time). From the last, from the assumption that P}(M) = 
Pt(M) > 0, and from Def. © it follows that P*(M k \M, a, M 2 , a 2 , . . . a fc _ x ) ^ 
P t fc (Mfc|M, a, M 2 , 02, ■ • ■ ftfc-i) (or they are not defined at the same time), i.e. 
s 760 £• This completes the proof of the theorem. 

The following lemma, which considers the determinant of a certain type of 
an almost-triangular matrix, shall be needed in the proof of Theorem [5] 

Lemma 1. Let $Q$ be a square $n \times n$ matrix with elements $q_{ij}$, for $1 \leq i \leq n$ and
$1 \leq j \leq n$. Suppose $q_{ij} \in \{0, 1\}$ for $i > 1$, $q_{ij} = 1$ for $i = j + 1$, $q_{ij} = 0$ for $i >
j + 1$, and $q_{1j} = \frac{1}{Q_j}$ for $1 \leq j \leq n$, where $Q_1, Q_2 \ldots Q_n$ are irreducible, mutually
prime polynomials with positive variables, and of non-zero degrees. Then the
determinant of $Q$ is a non-zero rational function.

Proof. The determinant $\mathrm{Det}(Q)$ of matrix $Q$ can be obtained from the general
recursive formula $\mathrm{Det}(Q) = \sum_{j=1}^{n} (-1)^{1+j} q_{1j} \mathrm{Det}(Q_{1j})$, where $Q_{1j}$ is the matrix
obtained by deleting the first row and the $j$-th column of $Q$. Observe that $Q_{1n}$ is
an upper-triangular matrix, the diagonal elements of which are all equal to one.
Since the determinant of a triangular matrix is equal to the product of its
diagonal elements, we have $\mathrm{Det}(Q_{1n}) = 1$. Therefore, the coefficient in front of the
rational function $\frac{1}{Q_n}$ in $\mathrm{Det}(Q)$ is equal to 1. Suppose $\mathrm{Det}(Q)$ is a zero-function.
Then, the rational function $\frac{1}{Q_n}$ is equal to a linear combination of $\frac{1}{Q_1}, \ldots, \frac{1}{Q_{n-1}}$.
This means that the rational function $\frac{Q_1 Q_2 \cdots Q_{n-1}}{Q_n}$ is a polynomial. The last is
impossible, since, by assumption, the denominator is an irreducible polynomial of
non-zero degree and is not contained in the numerator. Therefore, $\mathrm{Det}(Q)$ is not
a zero-function.

Theorem 5. Let $s$ and $t$ be two processes such that $s \not\approx_{o} t$. There exists a test
$T$ that has no probabilistic transitions such that $\mathrm{Res}(s,T) \neq \mathrm{Res}(t,T)$.

Proof. We prove the theorem by induction on the minimal length $m$ of a ready
trace that distinguishes between $s$ and $t$. For $m = 1$, we prove that the test $T =
\sum_{a \notin M} a.\omega$, where $M$ is a menu with a minimal possible number of actions such
that $P_s^1(M) \neq P_t^1(M)$, distinguishes between $s$ and $t$. For $m > 1$ the proof goes as
follows. If $P_s^1(M) = P_t^1(M)$ for every menu $M$, then by the inductive assumption
it follows that there exists a test $T_1$, menu $M_1$ and action $a_1 \in M_1$ such that
$\mathrm{Res}(s_{(M_1,a_1)}, T_1) \neq \mathrm{Res}(t_{(M_1,a_1)}, T_1)$. We show that there exists a subset of the
action set, say $Act$, such that the test $T = a_1.T_1 + \sum_{b \in Act} b.\omega$ distinguishes between
$s$ and $t$. To prove this, we take $M_1$ to be the menu containing a minimal possible
number of actions such that $P_s^1(M_1) > 0$, $a_1 \in M_1$, and $\mathrm{Res}(s_{(M_1,a_1)}, T_1) \neq
\mathrm{Res}(t_{(M_1,a_1)}, T_1)$. Then we take the set $Act'$ to consist of the actions that can
be initially performed by $s$ but do not belong to menu $M_1$. Then, we show that
there must exist a subset $Act$ of $Act'$ such that the test $T = a_1.T_1 + \sum_{b \in Act} b.\omega$
distinguishes between $s$ and $t$ (otherwise, we obtain that $\mathrm{Res}(s_{(M_1,a_1)}, T_1) =
\mathrm{Res}(t_{(M_1,a_1)}, T_1)$, which contradicts our assumption).

We now proceed with a detailed presentation of the proof. 

From $s \not\approx_{o} t$ and by Def. there must exist a ready trace $(M_1, a_1, \ldots M_m)$
such that $P_s^m(M_m \mid M_1, a_1, \ldots a_{m-1}) \neq P_t^m(M_m \mid M_1, a_1, \ldots a_{m-1})$. The proof is
by induction on $m$.

Case 1 ($m = 1$) Suppose first that there exists a menu $M$ such that
$P_s^1(M) \neq P_t^1(M)$. Let $M$ be a menu with a minimal possible number
of actions such that $P_s^1(M) \neq P_t^1(M)$. Take $T = \sum_{a \notin M} a.\omega$. We have
$\mathrm{Res}(s,T) = 1 - \sum_{M' \subseteq M} P_s^1(M')$, because the actions of $s$ and $T$ will
fail to synchronize if and only if the random choice decides that menu
$M$ or some menu $M' \subset M$ is offered to process $s$ initially. Similarly,
$\mathrm{Res}(t,T) = 1 - \sum_{M' \subseteq M} P_t^1(M')$. Now, suppose that $\mathrm{Res}(s,T) = \mathrm{Res}(t,T)$. We
have $\sum_{M' \subseteq M} P_s^1(M') = \sum_{M' \subseteq M} P_t^1(M')$. From this and $P_s^1(M) \neq P_t^1(M)$, it
follows that there exists a menu $M' \subset M$ such that also $P_s^1(M') \neq P_t^1(M')$.
But this contradicts the assumption that $M$ is a menu with a minimal possible
number of actions such that $P_s^1(M) \neq P_t^1(M)$.

Case 2 ($m > 1$) Suppose now that $P_s^1(M) = P_t^1(M)$ for
every menu $M$. Let $(M_1, a_1, \ldots M_m)$ be a ready trace such that
$P_s^m(M_m \mid M_1, a_1, \ldots a_{m-1}) \neq P_t^m(M_m \mid M_1, a_1, \ldots a_{m-1})$. From
$P_s^1(M_1) = P_t^1(M_1)$, and from Definitions [S] and M it follows that
$P^{m-1}_{s_{(M_1,a_1)}}(M_m \mid M_2, a_2, \ldots a_{m-1}) \neq P^{m-1}_{t_{(M_1,a_1)}}(M_m \mid M_2, a_2, \ldots a_{m-1})$ (in case
$m = 2$, $P^1_{s_{(M_1,a_1)}}(M_2) \neq P^1_{t_{(M_1,a_1)}}(M_2)$). Now, by the inductive assumption, there
exists a non-probabilistic test $T_1$ such that $\mathrm{Res}(s_{(M_1,a_1)}, T_1) \neq \mathrm{Res}(t_{(M_1,a_1)}, T_1)$.

Case 2.1 Suppose first that $a_1$ does not belong to any first-level menu of
$s$ other than $M_1$, i.e. that for every menu $M$, $P_s^1(M) > 0$ and $a_1 \in M$ implies
$M = M_1$. Then the test $T = a_1.T_1$ distinguishes between $s$ and $t$.

Case 2.2 Suppose now that $a_1$ belongs to at least one first-level menu
of $s$ other than $M_1$, i.e. there exists at least one menu $M \neq M_1$ such that
$P_s^1(M) > 0$ and $a_1 \in M$. Without loss of generality, assume that $M_1$ is a menu
with a minimal possible number of actions such that $P_s^1(M_1) > 0$, $a_1 \in M_1$,
and $\mathrm{Res}(s_{(M_1,a_1)}, T_1) \neq \mathrm{Res}(t_{(M_1,a_1)}, T_1)$. Let $\{b_j\}_{j \in J}$ be the set of actions that
appear in the first level of $s$ (and therefore $t$) but not in $M_1$, i.e. $b \in \{b_j\}_{j \in J}$ if
and only if $b \notin M_1$ and there exists a menu $M$ such that $P_s^1(M) > 0$, $b \in M$. We
shall prove that there exists $J' \subseteq J$ such that the test $T = a_1.T_1 + \sum_{j \in J'} b_j.\omega$
distinguishes between $s$ and $t$. More concretely, we shall prove that, assuming
the opposite, it follows that $\mathrm{Res}(s_{(M_1,a_1)}, T_1) = \mathrm{Res}(t_{(M_1,a_1)}, T_1)$, thus obtaining
contradiction.

Case 2.2.a Suppose first that $\{b_j\}_{j \in J} = \emptyset$. This means that there are no
actions other than those in $M_1$, that appear in the first level of $s$. Therefore,
all menus $M$ for which $P_s^1(M) > 0$ satisfy $M \subseteq M_1$. We prove that the test
$T = a_1.T_1$ distinguishes between $s$ and $t$. Assume that $\mathrm{Res}(s,T) = \mathrm{Res}(t,T)$.
From the last and from Def. [2] we obtain

$$\sum_{M : P_s^1(M) > 0,\ a_1 \in M \subseteq M_1} \big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) = 0. \tag{12}$$

By assumption, for every $M \subset M_1$ such that $a_1 \in M$ it holds
$\mathrm{Res}(s_{(M,a_1)}, T_1) = \mathrm{Res}(t_{(M,a_1)}, T_1)$. Therefore, from (12) we obtain
$\mathrm{Res}(s_{(M_1,a_1)}, T_1) = \mathrm{Res}(t_{(M_1,a_1)}, T_1)$, which contradicts the assumption
$\mathrm{Res}(s_{(M_1,a_1)}, T_1) \neq \mathrm{Res}(t_{(M_1,a_1)}, T_1)$.

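Case 2.2.b Suppose now that $\{b_j\}_{j \in J} \neq \emptyset$. Given action $b_i \in \{b_j\}_{j \in J}$,
denote by $\mathcal{M}_i$ the set of all first-level menus of $s$ that contain $b_i$ and $a_1$, i.e.
$M \in \mathcal{M}_i$ iff $P_s^1(M) > 0$ and $b_i, a_1 \in M$; denote by $\mathcal{M}_i^0$ the set of all first-level
menus of $s$ that do not contain $b_i$ but have $a_1$, i.e. $M \in \mathcal{M}_i^0$ iff $P_s^1(M) > 0$,
$b_i \notin M$ and $a_1 \in M$.

Let $T = a_1.T_1 + \sum_{j \in J'} b_j.\omega$ for some $J' = \{1, 2, \ldots n\} \subseteq J$ and
suppose $\mathrm{Res}(s,T) = \mathrm{Res}(t,T)$. Since $P_s^1(M) = P_t^1(M)$ for every menu $M$,
observe that only if action $a_1$ is performed initially, it is possible for the test
$T = a_1.T_1 + \sum_{j \in J'} b_j.\omega$ to make a difference between $s$ and $t$. Because of this
and by Definitions [2] and [5] it follows that

$$\begin{aligned}
&\sum_{M \in \mathcal{M}_n^0 \cap \mathcal{M}_{n-1}^0 \cap \cdots \cap \mathcal{M}_1^0} \frac{a_1}{a_1} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) \\
&+ \sum_{M \in \mathcal{M}_n^0 \cap \cdots \cap \mathcal{M}_2^0 \cap \mathcal{M}_1} \frac{a_1}{a_1 + b_1} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) \\
&+ \cdots \\
&+ \sum_{M \in \mathcal{M}_n \cap \cdots \cap \mathcal{M}_1} \frac{a_1}{a_1 + b_1 + \cdots + b_n} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) \\
&= 0.
\end{aligned} \tag{13}$$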

Each intersection appearing under the $\sum$-operators of (13) can be mapped
bijectively to a binary number of $n$ digits - the $i$-th digit being 0 if the intersection
contains $\mathcal{M}^0_{n+1-i}$, and 1 if the intersection contains $\mathcal{M}_{n+1-i}$. (For reasons that
will become clear later, the order of the indexing is reversed.)



Suppose $\mathrm{Res}(s,T) = \mathrm{Res}(t,T)$ for every test $T = a_1.T_1 + \sum_{j \in J'} b_j.\omega$, where
$J' \subseteq J$. We shall prove that, in this case, every sum $\sum(\mathrm{Res}(s_{(M,a_1)}, T_1) -
\mathrm{Res}(t_{(M,a_1)}, T_1))$ that appears in (13) when $J' = J$ is equal to a zero-function.
In particular, the equality

$$\sum_{M \in \bigcap_{j \in J} \mathcal{M}_j^0} \big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) = 0 \tag{14}$$

will hold. Note that the set $\bigcap_{j \in J} \mathcal{M}_j^0$ contains all first-level menus of $s$ that
have the action $a_1$ but do not have any other action that does not appear
in $M_1$. Therefore, $\bigcap_{j \in J} \mathcal{M}_j^0$ consists of the subsets of $M_1$ that contain $a_1$.
Thus, the equation (14) is equivalent to the equation (12) which leads to
$\mathrm{Res}(s_{(M_1,a_1)}, T_1) = \mathrm{Res}(t_{(M_1,a_1)}, T_1)$, i.e. to contradiction. This would complete
the proof of the theorem.

We now proceed with proving the above stated claim. We prove a more general
result, namely that for $J' \subseteq J$, under assumption that $\mathrm{Res}(s,T) = \mathrm{Res}(t,T)$
for every test $T = a_1.T_1 + \sum_{i \in J''} b_i.\omega$ such that $J'' \subseteq J$ and $|J''| \leq |J'|$, it holds
that every sum $\sum(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1))$ that appears in (13) is
equal to zero.

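Suppose first that $|J'| = 1$, i.e. $J' = \{1\}$. Assume that

$$\mathrm{Res}(s, a_1.T_1) = \mathrm{Res}(t, a_1.T_1) \tag{15}$$

and

$$\mathrm{Res}(s, a_1.T_1 + b_1.\omega) = \mathrm{Res}(t, a_1.T_1 + b_1.\omega). \tag{16}$$

From (15), Def. and because $P_s^1(M) = P_t^1(M)$ for every menu $M$, we obtain

$$\sum_{M \in \mathcal{M}_1 \cup \mathcal{M}_1^0} \frac{a_1}{a_1} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) = 0. \tag{17}$$

The equation (13) turns into

$$\sum_{M \in \mathcal{M}_1^0} \frac{a_1}{a_1} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) + \sum_{M \in \mathcal{M}_1} \frac{a_1}{a_1 + b_1} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) = 0. \tag{18}$$

Denote $\sum_{M \in \mathcal{M}_1^0} P_s^1(M)(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1))$ by $x_0$ and
$\sum_{M \in \mathcal{M}_1} P_s^1(M)(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1))$ by $x_1$. Our goal is to show
that $x_0 = 0$ and $x_1 = 0$, i.e. that they are zero-functions. From (17) and (18) we
obtain the following system of equations for the unknowns $x_0$ and $x_1$:

$$\begin{cases} \frac{a_1}{a_1} x_0 + \frac{a_1}{a_1 + b_1} x_1 = 0 \\ x_0 + x_1 = 0, \end{cases}$$

or in a matrix form

$$Q_1 x = 0,$$

where

$$Q_1 = \begin{pmatrix} \frac{a_1}{a_1} & \frac{a_1}{a_1 + b_1} \\ 1 & 1 \end{pmatrix}, \quad x = \begin{pmatrix} x_0 \\ x_1 \end{pmatrix}, \quad \text{and} \quad 0 = \begin{pmatrix} 0 \\ 0 \end{pmatrix}.$$

Since the determinant of the matrix $Q_1$ is not a zero-function, it follows that
$x_0 = 0$ and $x_1 = 0$ is the only solution of the system.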

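To present a better intuition on the proof in the general case, we shall also
consider separately the case $|J'| = 2$. Let $J' = \{1, 2\}$ and assume that $\mathrm{Res}(s,T) =
\mathrm{Res}(t,T)$ for every test $T = a_1.T_1 + \sum_{i \in J''} b_i.\omega$ such that $J'' \subseteq J$ and $|J''| \leq |J'|$.
The equation (13) turns into

$$\begin{aligned}
&\sum_{M \in \mathcal{M}_2^0 \cap \mathcal{M}_1^0} \frac{a_1}{a_1} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) \\
&+ \sum_{M \in \mathcal{M}_2^0 \cap \mathcal{M}_1} \frac{a_1}{a_1 + b_1} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) \\
&+ \sum_{M \in \mathcal{M}_2 \cap \mathcal{M}_1^0} \frac{a_1}{a_1 + b_2} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) \\
&+ \sum_{M \in \mathcal{M}_2 \cap \mathcal{M}_1} \frac{a_1}{a_1 + b_1 + b_2} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) \\
&= 0.
\end{aligned} \tag{19}$$

Denoting $\sum_{M \in \mathcal{M}_2^0 \cap \mathcal{M}_1^0} P_s^1(M)(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1))$ by $x_{00}$ and
so on, (19) turns into

$$\frac{a_1}{a_1} x_{00} + \frac{a_1}{a_1 + b_1} x_{01} + \frac{a_1}{a_1 + b_2} x_{10} + \frac{a_1}{a_1 + b_1 + b_2} x_{11} = 0. \tag{20}$$

From $\sum_{M \in \mathcal{M}_2^0} P_s^1(M)(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)) = 0$ we obtain
$x_{00} + x_{01} = 0$, and from $\sum_{M \in \mathcal{M}_2} P_s^1(M)(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)) = 0$
we obtain $x_{10} + x_{11} = 0$. Similarly, from $\sum_{M \in \mathcal{M}_1} P_s^1(M)(\mathrm{Res}(s_{(M,a_1)}, T_1) -
\mathrm{Res}(t_{(M,a_1)}, T_1)) = 0$ we obtain that $x_{01} + x_{11} = 0$. Therefore, we have the
following system of equations:

$$\begin{cases}
\frac{a_1}{a_1} x_{00} + \frac{a_1}{a_1 + b_1} x_{01} + \frac{a_1}{a_1 + b_2} x_{10} + \frac{a_1}{a_1 + b_1 + b_2} x_{11} = 0 \\
x_{00} + x_{01} = 0 \\
x_{01} + x_{11} = 0 \\
x_{10} + x_{11} = 0.
\end{cases}$$

The main matrix of the system is

$$Q_2 = \begin{pmatrix}
\frac{a_1}{a_1} & \frac{a_1}{a_1 + b_1} & \frac{a_1}{a_1 + b_2} & \frac{a_1}{a_1 + b_1 + b_2} \\
1 & 1 & 0 & 0 \\
0 & 1 & 0 & 1 \\
0 & 0 & 1 & 1
\end{pmatrix}.$$

By Lemma 1, $\mathrm{Det}(Q_2)$ is not a zero-function, which implies that the vector
of zero-functions is the only solution of the above system of equations.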

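We now present how each matrix $Q_{n+1}$ can be obtained from the matrix $Q_n$.
In general, for $\mathcal{M}_i^* \in \{\mathcal{M}_i, \mathcal{M}_i^0\}$, it holds

$$\begin{aligned}
&\sum_{M \in (\bigcap_{i=1}^{n} \mathcal{M}_i^*) \cap \mathcal{M}_{n+1}} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) \\
&+ \sum_{M \in (\bigcap_{i=1}^{n} \mathcal{M}_i^*) \cap \mathcal{M}^0_{n+1}} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big) \\
&= \sum_{M \in (\bigcap_{i=1}^{n} \mathcal{M}_i^*)} P_s^1(M)\big(\mathrm{Res}(s_{(M,a_1)}, T_1) - \mathrm{Res}(t_{(M,a_1)}, T_1)\big).
\end{aligned} \tag{21}$$

This means that, in the general case, each solution $x_{i_1 i_2 \ldots i_n} = 0$ of the system
$Q_n x = 0$ generates the following equations for the next system:

$$x_{i_1 i_2 \ldots i_k 0 i_{k+1} \ldots i_n} + x_{i_1 i_2 \ldots i_k 1 i_{k+1} \ldots i_n} = 0, \quad 0 \leq k \leq n.$$

For example, in case $|J'| = 3$ we obtain the matrix:

$$Q_3 = \begin{pmatrix}
\frac{a_1}{a_1} & \frac{a_1}{a_1 + b_1} & \frac{a_1}{a_1 + b_2} & \frac{a_1}{a_1 + b_1 + b_2} & \frac{a_1}{a_1 + b_3} & \frac{a_1}{a_1 + b_1 + b_3} & \frac{a_1}{a_1 + b_2 + b_3} & \frac{a_1}{a_1 + b_1 + b_2 + b_3} \\
1 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & 0 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 1
\end{pmatrix}$$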

Note that each row of $Q_3$, except the first one, contains exactly two 1's, at
positions whose binary representations differ in exactly one place (for example
at the positions 001 and 011).

Informally, the general algorithm for obtaining the elements $q^{n+1}_{ij}$ of a $2^{n+1} \times
2^{n+1}$ matrix $Q_{n+1}$ from matrix $Q_n$, assuming $Q_n$ is non-singular, is as follows.
First, initialize all elements of $Q_{n+1}$ to zero. Then, copy $Q_n$ into the upper left
corner of $Q_{n+1}$. Then, copy $Q_n$, excluding the first row, into the lower right
corner of $Q_{n+1}$. Then, assign 1 to $q^{n+1}_{ij}$ for $i = 2^n + 1$ and $j \in \{2^n, 2^{n+1}\}$.
Finally, add the appropriate new rational fractions in the second half of the first
row of $Q_{n+1}$. The key observation is that in this way, we obtain again a matrix
such that each row, except the first one, contains exactly two 1's, at positions
whose binary representations differ in exactly one place. Formally,

$$q^{n+1}_{ij} = \begin{cases}
q^{n}_{ij} & \text{if } 1 \leq i \leq 2^n \text{ and } j \leq 2^n, \\
1 & \text{if } i = 2^n + 1 \text{ and } j \in \{2^n, 2^{n+1}\}, \\
q^{n}_{(i - 2^n)(j - 2^n)} & \text{if } 2^n + 1 < i \text{ and } 2^n < j, \\
\frac{a_1}{a_1 + \sum_k b_k + b_{n+1}} & \text{if } i = 1,\ j > 2^n, \text{ and } q^{n}_{1(j - 2^n)} = \frac{a_1}{a_1 + \sum_k b_k}, \\
0 & \text{otherwise.}
\end{cases}$$

Assuming matrix $Q_n$ satisfies the conditions of Lemma 1, it easily follows that
matrix $Q_{n+1}$ also satisfies the conditions of Lemma 1. Therefore, its determinant
is not a zero function. This means that the system $Q_{n+1} x = 0$ has only
zero-functions as solutions, which we were aiming to prove. Therefore, the proof of
the theorem is complete.
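
The construction of $Q_{n+1}$ from $Q_n$ described above can be checked mechanically; the following is an added example, not code from the paper. It builds the matrices with exact rational arithmetic for constructed sample values of $a_1$ and $b_1, b_2, \ldots$ (an assumption of the example), checks the "two 1's in neighbouring binary positions" property, and evaluates the determinant; a non-zero value at one sample point is enough to witness that the determinant is not a zero-function.

```python
from fractions import Fraction

def q1(a, b1):
    """Q_1 for |J'| = 1: first row a1/a1, a1/(a1+b1); second row 1, 1."""
    a, b1 = Fraction(a), Fraction(b1)
    return [[a / a, a / (a + b1)], [Fraction(1), Fraction(1)]]

def next_q(q, a, b_new):
    """Q_{n+1} from Q_n by the five construction steps in the text."""
    a, b_new = Fraction(a), Fraction(b_new)
    h = len(q)  # h = 2^n
    big = [[Fraction(0)] * (2 * h) for _ in range(2 * h)]  # initialise to zero
    for i in range(h):        # copy Q_n into the upper-left corner
        big[i][:h] = q[i]
    for i in range(1, h):     # copy Q_n without its first row, lower-right
        big[h + i][h:] = q[i]
    # 1-based row 2^n + 1 gets a 1 in columns 2^n and 2^(n+1)
    big[h][h - 1] = big[h][2 * h - 1] = Fraction(1)
    for j in range(h):        # new fractions: old denominator plus b_{n+1}
        big[0][h + j] = a / (a / q[0][j] + b_new)
    return big

def build_q(a, bs):
    """Q_n for sample values a (for a1) and bs = (b1, ..., bn)."""
    q = q1(a, bs[0])
    for b in bs[1:]:
        q = next_q(q, a, b)
    return q

def rows_link_neighbours(q):
    """True if every row but the first is zero except for two 1's whose
    0-based column indices differ in exactly one binary digit."""
    for row in q[1:]:
        ones = [j for j, v in enumerate(row) if v == 1]
        if len(ones) != 2 or any(v not in (0, 1) for v in row):
            return False
        if bin(ones[0] ^ ones[1]).count("1") != 1:
            return False
    return True

def det(m):
    """Exact determinant by Gaussian elimination over Fractions."""
    m = [row[:] for row in m]
    n, d = len(m), Fraction(1)
    for c in range(n):
        p = next((r for r in range(c, n) if m[r][c] != 0), None)
        if p is None:
            return Fraction(0)
        if p != c:
            m[c], m[p] = m[p], m[c]
            d = -d
        d *= m[c][c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for k in range(c, n):
                m[r][k] -= f * m[c][k]
    return d

if __name__ == "__main__":
    a1, bs = 1, (1, 2, 4)  # constructed sample values, not from the paper
    for n in range(1, 4):
        q = build_q(a1, bs[:n])
        print(n, rows_link_neighbours(q), det(q))
```
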

From Theorems 4 and 5 the following statements directly follow.

Corollary 1. For arbitrary processes $s$ and $t$, $s \approx_{T} t$ if and only if $s \approx_{o} t$.

Corollary 2. For arbitrary processes s and t, s t if and only if there exists
a test $T$ without probabilistic transitions such that $\mathrm{Res}(s,T) \neq \mathrm{Res}(t,T)$.



7 Conclusion, future work, and related work 

Concluding remarks We have proposed a testing equivalence in the style of [6] 
for processes where the internal nondeterminism is quantified with probabilities. 
The testing semantics allows distribution of external choice over probabilistic 
choice, i.e. accomplishes unobservability of the internal probabilistic choice. The 
definition exploits a new method for labeling the synchronized actions using 
rational functions over the action labels, which, we believe, is of independent 
interest. We have also developed an alternative characterization of the testing 
equivalence, namely as a probabilistic version of the ready trace equivalence 
[1,21]. The definition of the latter uses Bayesian probability. It is intuitive and 
can be easily justified by a black box testing scenario akin to those in [4, 10]. We 
have also shown that it is congruence for all standard operators for the given 
model, including asynchronous parallel composition and priority. 

Internal nondeterminism It can be anticipated by now that combining inter- 
nal choice, probabilistic choice and parallel composition is challenging. Again 
"cloning" the internal nondeterminism after the probabilistic choice in a parallel 
context can "erase" the probabilities, which disallows distribution of prefix over 
probabilistic choice (this phenomenon has been also studied in [3,5,8,9,16,22]). 
Namely, consider the following game. The player X tosses a fair coin and hides 
Fig. 5: Synchronized coin tosser(X) and result-guesser(Y~) 



the outcome. Player Y guesses the outcome of the tossing and writes it down. 
While he is writing down the result, player X waits (i.e. he may write down 
something meaningless). Then they both agree to reveal their outcomes, i.e. X 
to uncover the coin and Y to show what he/she has written (footnote 5). Obviously, the 
probability that the second player has guessed correctly equals 1/2. However, the 
resulting graph for the synchronization of both players (Fig. suggests that 
there is a strategy such that player Y can always guess the correct result. On 
the other hand, if process X = wrt.rev.(head $\oplus_{1/2}$ tail) is synchronized with Y, the 
resulting graph suggests that the probability of reporting a © action is exactly 
1/2. This prevents equating processes X and X, i.e. allowing distribution of prefix 
over internal probabilistic choice. Indeed, in presence of internal nondetermin- 
ism, the testing equivalence of [25] and its variants have all been characterized 
as simulations [7,12,17]. The proposed solutions [3,5,8,9] to the problem with 
parallel composition suggest that the process composition needs to "remember" 
the outcome of the internal choice that a component makes locally. To solve the 
problem in our setting in the lines of these solutions, we also plan to enrich the 
internal transitions with labels that cannot communicate. Before composing all 
labels would be different. If the original process has, for example, two outgoing 
internal transitions labeled with $l_1$ and $l_2$, then the composed process shall have 
transitions labeled with $\frac{l_1}{l_1 + l_2}$ and $\frac{l_2}{l_1 + l_2}$. Fig. 6 presents the result of testing 
process X of Fig. 5 with process Y, assuming the internal transitions of Y are 
labeled with $l_1$ and $l_2$. Two processes would not be distinguished by a test if both 
results of testing are equal modulo isomorphism on the labels set. However, we 
leave the formal definition of this testing semantics for future work. 



5 Note the difference between this game and the example in Sec. 1 - in the former 
there is no external choice in the original processes, while in the latter they don't 
have internal nondeterminism. 



Related Work Process equivalences that allow distribution of prefix over
probabilistic choice (i.e. unobservability of the random choice) have been a
research topic ever since probabilities were introduced in concurrency theory
(see e.g. [2-4,13,16,18,22,24]). However, only [16], [24], and, under certain
conditions, [3], also allow distribution of external choice over probabilistic,
i.e. equate processes s and s of Fig. 1. In [16] probabilistic versions of broom
(ready/failure) and barbed (ready/failure trace) equivalences are defined.
These definitions use "probability functions" that compute the maximal
probability for a ready trace to occur (i.e. they do not generate probability
spaces over the set of ready traces), which makes it hard to construct
corresponding "black-box" testing scenarios. In [24], in the model with external
choice, a process is defined as conditional probability measure over sequences
of actions. This semantics also identifies processes $(a + b) \oplus_{1/2} c$ and
$(a + c) \oplus_{1/2} b$. Obviously, this is not desirable. In [3] processes are enriched
with labels, and a testing equivalence is defined by means of schedulers that
synchronize with processes on the process labels. For a certain labeling,
processes s and s can be equated. Although this is an elegant and compositional
solution to the problem of overestimating probabilities in testing semantics, we
believe that our approach is more feasible in practice. In fact, the task of the
schedulers and the purpose of the process labels in [3] in our testing semantics
have been accomplished by the rational functions formed from the action labels.

Fig. 6: Testing with internal transitions